Comments on: Secure IM in Gaim with OTR

By: Fabian Rodriguez

Fabian Rodriguez — Wed, 19 Dec 2007 00:45:31 +0000

Just a quick note to let anyone interested know that pidgin (formerly known as gaim) and pidgin-otr will be in the main repository starting with Ubuntu 8.04.

By: Stu Tomlinson

Stu Tomlinson — Mon, 07 May 2007 15:06:23 +0000

Paul,

> When folding two users into one, gaim has no way of selecting which of the multiple identities you will use to talk

Pidgin (and Gaim) has a ‘Send To’ menu to select which identity will be used.

Stu.

By: Paul Wouters

Paul Wouters — Tue, 03 Apr 2007 15:13:40 +0000

I just noticed this post, and as one of the develors and active promotors of OTR, I’m happy to see the adoption by Mark and others of Ubuntu.

Some ocmments:

- The “double” buttons is really a design problem in gaim. When folding two users into one, gaim has no way of selecting which of the multiple identities you will use to talk. And both might be using the other identity, resulting in two OTR sessions, and thus two buttons.

- “RSA is safer”. OTR is designed by two Computer Science professors, both graduates from Berkeley. It’s not some “home grown crypto”. OTR has other properties that it deems important that public key crypto systems do not have, such as repudiation (you can deny you said something, and the other party will not have any mathematical proof you said it)

- gaim-encryption : from the FAQ: The gaim-encryption plugin provides encryption and authentication, but not deniability or perfect forward secrecy. If an attacker or a virus gets access to your machine, all of your past [monitored] gaim-encryption conversations are retroactively compromised. Further, since all of the messages are digitally signed, there is difficult-to-deny proof that you said what you did: not what we want for a supposedly private conversation!

- cannot use RSA+OTR: it should work. If not, this might be a problem with the RSA plugin. Contact me if you want to see if we can find this issue.

Paul Wouters

By: chris penn

chris penn — Thu, 22 Feb 2007 08:38:01 +0000

I think RSA gaim encryption is more secure.
Just a note: if it has not been said, you can not use RSA an OTR together. Although, it looks kinda neat.

By: The UbuCon NYC at ISIS Blogs

The UbuCon NYC at ISIS Blogs — Fri, 02 Feb 2007 17:36:17 +0000

[...] The UbuCon is an unconference for Ubuntu users, developers, and sysadmins taking place on February 16th at the new Google offices in Manhattan. A few people from ISIS will be there to represent the interest of security in Ubuntu’s future development and hopefully moving improvements like GCC proactive security measures, encrypted LUKS partitions, and main inclusions of Seahorse and gaim-otr up to a higher development priority. If you’d like to join us add your name to the RSVP list and we’ll see you there (it’s free!). Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]

By: Gaby

Gaby — Tue, 30 Jan 2007 18:34:53 +0000

zfone inclusion (either native as is in Ekiga CVS or as a proxy or plugin to a to-be-coming gaim-vv work-alike) is quite like this and just as worthy a cause.

By: required

required — Fri, 26 Jan 2007 22:16:40 +0000

Someone should make a cross-platform plug-in for Firefox.

By: SixDays

SixDays — Wed, 24 Jan 2007 23:40:33 +0000

What is really needed is a plugin to rule them all, on all platforms and for all clients.
According to Sean Egan (lead developer of gaim) the plugin “voice and video” will be incorporated directly into gaim, but he could not give me a timeline for that actually happening.
This may seem of the topic, but it’s not.

Many weindogs/winblows/wintendo users on my IM refuses to switch to gaim or even to run it in parallell with the MSN original client solely based on “I need to see webcams”.

So I’ve concluded that either there need to be a cryptoplugin to rule THEM (msn, mirande, amsn, gaim, trillian, icq etc) all or gaim needs to have full webcam support.

By: Roshan Shariff

Roshan Shariff — Wed, 24 Jan 2007 18:12:52 +0000

Using Gaim voice chat to exchange shared keys is insecure, since anybody who can intercept your text messages can also listen in on voice conversations. You need to use an out-of-band medium, like the telephone or face-to-face (imagine that!)

Mark Shuttleworth says:

If you know the voice of the person, then you could do the voice confirmation in the same band, as long as you think that it’s unlikely that someone could pull off a real-time man in the middle voice substitution attack!

By: stephen o'grady

stephen o'grady — Wed, 24 Jan 2007 17:47:50 +0000

if you’re just discovering that, maybe you haven’t run across guifications yet. highly recommended if not.

apt-get install gaim-guifications

then ensure the plugin’s activated.